Numerous, numerous sources are reporting that the California Department of Child Support Services breached the personal information of approximately 800,000 California residents when four backup tapes went missing when they were sent via FedEx from Colorado to California. Needless to say, encryption -- the same that powers AlertBoot's laptop encryption software -- should have been used.

I mean, this is not the first time that sensitive material goes missing when FedEx'ed. What were all involved parties thinking?

IBM, Iron Mountain to Blame

The story is one centered around irony. From washingtonpost.com (my emphases):

The cartridges had been sent to IBM’s facility in Boulder as part of a disaster simulation, so the technology company could test whether it could run the state’s child support system remotely, said Christine Lally, a spokeswoman for the state’s Office of Technology Services.

After testing was completed successfully, the data cartridges were to be sent back to California. Typically, secure transportation for sensitive materials are provided to the state through Iron Mountain but the company doesn’t fly, so FedEx transported the cartridges.

A disaster simulation effects a disaster. And, apparently the tapes were not protected with encryption software. When are they simulating that scenario, the one where tapes go missing when shipped via FedEx?

Snark aside, people really ought to evaluate such scenarios. After hearing how FedEx lost radioactive rods, it kinda sticks in your head that it might be a good idea.

The blame for the situation lies less with the California Department of Child Support Services, and more with IBM and Iron Mountain: the former was testing the disaster simulation, and the latter had been contracted to transport the data.

You know, this is not the first time that Iron Mountain has been involved in the loss of data tapes. There is this instance, where GE's backup tape went missing from Iron Mountain's storage facilities. And this other one where a box of tapes, being transported by Iron Mountain fell of the truck.

However, you can't blame Iron Mountain solely for the breach. What were they supposed to do, send a driver from Colorado to California? That's over 1,000 miles! Cost-wise, it doesn't make sense. Of course they're going to ship it.

Since Iron Mountain is only transporting the tapes, it fell upon IBM to ensure that the data in those tapes were protected in the event something went wrong. It seems to me that IBM ought to have used encryption to secure the data before backing it up to the tapes.

The California Department of Child Support Services should get a pass on this one because it's obvious that they contracted out the data security to IBM.

What about FedEx? They get a pass, too, because they're constantly losing stuff. They're good, but they're not perfect, and they're not in the business of security...and everybody knows this. To rely on FedEx to not cause a data breach on 800,000 people is going about security the wrong way.

Affects More than Children

Now, just because the data belongs to Child Support Services doesn't mean that the information affects children.

The backup storage cartridges also contained addresses, driver’s license numbers, names of health insurance providers and employers for custodial and non-custodial parents, and their children. [washingtonpost.com]

The California Department of Child Support Services is recommending that everyone monitor their credit reports and such.

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading
provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing
support of the AlertBoot disk encryption managed service.
Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts
University in Medford, Massachusetts, U.S.A.